Please bear in mind that in the world of cryptography, the difference between proper error messages and information disclosure vulnerabilities is narrow, or only a nuance.
IMHO, you have it backwards. It is the improper error messages that can pose a security risk. If my OpenSSH program is either misconfigured or malfunctiong, and it may be exposing my systems to something nefarious, then how am I to efficiently debug it and get to the bottom of that if I have to contend with its throwing roadblocks in my face?
This is not nuance by any means. It's just poor programming practice. -- Maurice Volaski, mvolaski@xxxxxxxxxxxx Computing Support, Rose F. Kennedy Center Albert Einstein College of Medicine of Yeshiva University
